feat(build): fluidattacks#1064 arm64 container

- Add arm64 container job - Add amd64 container job - Modularize arch on container build - Temporarily disable doas as it is broken on cross compilation Signed-off-by: Daniel Salazar <podany270895@gmail.com>
dsalaza4 · Apr 4, 2023 · 8bda026 · 8bda026
1 parent c6c19e4
commit 8bda026
Show file tree

Hide file tree

Showing 15 changed files with 280 additions and 1,053 deletions.
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
diff --git a/default.nix b/default.nix
@@ -6,8 +6,6 @@
     // {
       outputs."/cli/env/runtime" =
         import ./makes/cli/env/runtime/main.nix args;
-      outputs."/cli/env/runtime/pypi" =
-        import ./makes/cli/env/runtime/pypi/main.nix args;
       projectPath = import ./src/args/project-path args;
       projectSrc = ./.;
     };

diff --git a/makes.lock.nix b/makes.lock.nix
@@ -0,0 +1,3 @@
+{
+  makesSrc = ./.;
+}
diff --git a/makes.nix b/makes.nix
@@ -1,5 +1,6 @@
 {
   __nixpkgs__,
+  __nixpkgsCli__,
   fetchNixpkgs,
   inputs,
   outputs,
@@ -26,16 +27,27 @@
   };
   deployContainerImage = {
     images = {
-      makesLatest = {
+      makesLatestAmd64 = {
         attempts = 3;
         credentials = {
           token = "GITHUB_TOKEN";
           user = "GITHUB_ACTOR";
         };
         registry = "ghcr.io";
-        src = outputs."/container-image";
+        src = outputs."/container-image/amd64";
+        sign = true;
+        tag = "dsalaza4/makes/amd64:latest";
+      };
+      makesLatestArm64 = {
+        attempts = 3;
+        credentials = {
+          token = "GITHUB_TOKEN";
+          user = "GITHUB_ACTOR";
+        };
+        registry = "ghcr.io";
+        src = outputs."/container-image/arm64";
         sign = true;
-        tag = "fluidattacks/makes:latest";
+        tag = "dsalaza4/makes/arm64:latest";
       };
       makesPinned = {
         attempts = 3;
@@ -114,8 +126,18 @@
   };
   inputs = {
     nixpkgs = fetchNixpkgs {
-      rev = "f88fc7a04249cf230377dd11e04bf125d45e9abe";
-      sha256 = "1dkwcsgwyi76s1dqbrxll83a232h9ljwn4cps88w9fam68rf8qv3";
+      rev = "126f49a01de5b7e35a43fd43f891ecf6d3a51459";
+      sha256 = "sha256-T3o6NcQPwXjxJMn2shz86Chch4ljXgZn746c2caGxd8=";
+    };
+    architectures = {
+      native = {
+        pkgs = __nixpkgs__;
+        pkgsCli = __nixpkgsCli__;
+      };
+      arm64 = {
+        pkgs = __nixpkgs__.pkgsCross.armv7l-hf-multiplatform;
+        pkgsCli = __nixpkgsCli__.pkgsCross.armv7l-hf-multiplatform;
+      };
     };
   };
   lintBash = {

diff --git a/makes/cli/env/runtime/main.nix b/makes/cli/env/runtime/main.nix
@@ -1,19 +1,27 @@
 {
-  __nixpkgs__,
+  arch ? "native",
+  inputs,
   makeSearchPaths,
-  outputs,
   ...
-}:
-makeSearchPaths {
-  bin = [
-    __nixpkgs__.cachix
-    __nixpkgs__.git
-    __nixpkgs__.gnutar
-    __nixpkgs__.gzip
-    __nixpkgs__.nixStable
-    __nixpkgs__.openssh
-  ];
-  source = [
-    outputs."/cli/env/runtime/pypi"
-  ];
-}
+}: let
+  pkgs = inputs.architectures.${arch}.pkgs;
+  pkgsCli = inputs.architectures.${arch}.pkgsCli;
+in
+  makeSearchPaths {
+    bin = [
+      #pkgs.cachix
+      pkgs.git
+      pkgs.gnutar
+      pkgs.gzip
+      pkgs.nixStable
+      pkgs.openssh
+      (
+        pkgsCli.python310.withPackages (
+          ps: [
+            ps.rich
+            ps.textual
+          ]
+        )
+      )
+    ];
+  }
diff --git a/makes/cli/env/runtime/pypi/main.nix b/makes/cli/env/runtime/pypi/main.nix
diff --git a/makes/cli/env/runtime/pypi/pypi-deps.yaml b/makes/cli/env/runtime/pypi/pypi-deps.yaml
diff --git a/makes/cli/env/runtime/pypi/pypi-sources.yaml b/makes/cli/env/runtime/pypi/pypi-sources.yaml
diff --git a/makes/container-image/amd64/main.nix b/makes/container-image/amd64/main.nix
@@ -0,0 +1,14 @@
+{
+  inputs,
+  makeScript,
+  makeSearchPaths,
+  projectPath,
+  ...
+}:
+import (projectPath "/makes/container-image") {
+  arch = "native";
+  inherit inputs;
+  inherit makeScript;
+  inherit makeSearchPaths;
+  inherit projectPath;
+}
diff --git a/makes/container-image/arm64/main.nix b/makes/container-image/arm64/main.nix
@@ -0,0 +1,14 @@
+{
+  inputs,
+  makeScript,
+  makeSearchPaths,
+  projectPath,
+  ...
+}:
+import (projectPath "/makes/container-image") {
+  arch = "arm64";
+  inherit inputs;
+  inherit makeScript;
+  inherit makeSearchPaths;
+  inherit projectPath;
+}
diff --git a/makes/container-image/default.nix b/makes/container-image/default.nix
@@ -0,0 +1,157 @@
+{
+  arch ? "native",
+  inputs,
+  makeScript,
+  makeSearchPaths,
+  projectPath,
+}: let
+  pkgs = inputs.architectures.${arch}.pkgs;
+  makes = import (projectPath "/makes/main.nix") {
+    inherit arch;
+    inherit inputs;
+    inherit makeScript;
+    inherit makeSearchPaths;
+    inherit projectPath;
+  };
+in
+  pkgs.dockerTools.buildImage {
+    config = {
+      Env = [
+        "HOME=/home/root"
+        "PATH=/bin:/nix/var/nix/profiles/default/bin"
+        "USER=root"
+
+        # Certificate authorities
+        "GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+        "SYSTEM_CERTIFICATE_PATH=/etc/ssl/certs/ca-bundle.crt"
+      ];
+      User = "root:root";
+      WorkingDir = "/working-dir";
+    };
+    name = "container-image";
+    tag = "latest";
+    copyToRoot = pkgs.buildEnv {
+      name = "root-file-system";
+      ignoreCollisions = true;
+      paths = [
+        # Basic dependencies
+        pkgs.bashInteractive
+        pkgs.cacert
+        pkgs.coreutils
+        pkgs.git
+        pkgs.gnugrep
+        pkgs.gnutar
+        pkgs.gzip
+        pkgs.nix
+
+        # Add /usr/bin/env pointing to /bin/env
+        (pkgs.runCommand "user-bin-env" {} ''
+          mkdir -p $out/usr/bin
+          ln -s $(command -v env) $out/usr/bin/env
+        '')
+
+        # Create home directories
+        (pkgs.runCommand "home" {} ''
+          mkdir -p $out/home/makes
+          mkdir -p $out/home/root
+        '')
+        # Create empty temporary directories
+        (pkgs.runCommand "tmp" {} ''
+          mkdir -p $out/tmp
+          mkdir -p $out/var/tmp
+        '')
+        # Create the working directory
+        (pkgs.runCommand "working-directory" {} ''
+          mkdir -p $out/working-dir
+        '')
+
+        # Configure Nix
+        (pkgs.writeTextDir "home/makes/.config/nix/nix.conf" ''
+          build-users-group =
+        '')
+        (pkgs.writeTextDir "home/root/.config/nix/nix.conf" ''
+          build-users-group =
+        '')
+        (pkgs.writeTextDir "etc/nix/nix.conf" ''
+          build-users-group =
+        '')
+
+        # Configure SSH
+        (pkgs.writeTextDir "home/makes/.ssh/config" ''
+          Host *
+            StrictHostKeyChecking no
+        '')
+        (pkgs.writeTextDir "home/root/.ssh/config" ''
+          Host *
+            StrictHostKeyChecking no
+        '')
+
+        # Configure doas
+        (pkgs.writeTextDir "etc/doas.conf" ''
+          permit nopass keepenv root as makes
+        '')
+
+        # Add 3 groups
+        (pkgs.writeTextDir "etc/group" ''
+          root:x:0:
+          makes:x:48:
+          nobody:x:65534:
+        '')
+        (pkgs.writeTextDir "etc/gshadow" ''
+          root:*::
+          makes:*::
+          nobody:*::
+        '')
+
+        # Add 3 users, mapped to groups with their own name
+        (pkgs.writeTextDir "etc/passwd" ''
+          root:x:0:0:root:/home/root:/bin/bash
+          makes:x:48:48:makes:/home/makes:/bin/bash
+          nobody:x:65534:65534:nobody:/homeless:/bin/false
+        '')
+        (pkgs.writeTextDir "etc/shadow" ''
+          root:!x:::::::
+          makes:!x:::::::
+          nobody:!x:::::::
+        '')
+
+        # Miscelaneous configurations
+        (pkgs.writeTextDir "etc/login.defs" "")
+        (pkgs.writeTextDir "etc/nsswitch.conf" ''
+          hosts: dns files
+        '')
+        (pkgs.writeTextDir "etc/pam.d/other" ''
+          account sufficient pam_unix.so
+          auth sufficient pam_rootok.so
+          password requisite pam_unix.so nullok sha512
+          session required pam_unix.so
+        '')
+
+        # Add Makes:
+        # - By default, it runs as root (uid 0).
+        # - If `MAKES_NON_ROOT` is in the environment and non-empty,
+        #   makes will run as the makes user (uid > 0).
+        (pkgs.writeShellScriptBin "m" ''
+          if test -z "''${MAKES_NON_ROOT:-}"; then
+            ${makes}/bin/m "$@"
+          else
+            echo Using feature flag: MAKES_NON_ROOT
+
+            set -x
+            mkdir -p /nix/var/nix
+            chmod u+w /nix/store
+            chown makes:makes --recursive /nix
+            chown root:root $(realpath /etc/doas.conf)
+
+            chmod u+w /home/makes /tmp /working-dir
+            chown makes:makes /home/makes /tmp /working-dir
+            chown makes:makes --recursive "$PWD"
+
+            ${pkgs.doas}/bin/doas -u makes ${makes}/bin/m "$@"
+          fi
+        '')
+      ];
+    };
+  }